According to Internet services company Netcraft’s
latest poll, open source Web sites dominate the Web site market. The
November 2005 survey found that Apache Web servers run on 70 percent of all Web
sites. In addition, almost every reputable site that asks you for any personal
information will do so using the Secure Sockets Layer (SSL) protocol.
The overwhelming number of open source Web sites and the
widespread use of OpenSSL to secure connections create a tremendous problem
when vulnerabilities emerge. For example, in October 2005, the OpenSSL.org
Project released a patch to fix a vulnerability in all previously released
versions of OpenSSL (i.e., all versions up to 0.9.7h and 0.9.8a). For more
details about this vulnerability, see
the Secunia advisory.
The vulnerability stems from the SSL_OP_MSIE_SSLV2_RSA_PADDING
configuration option. The widely used SSL_OP_ALL option turns this option on
by default, so many servers enable it without ever setting it explicitly.
The SSL_OP_MSIE_SSLV2_RSA_PADDING option is a common
configuration workaround that disables a verification step in the SSL 2.0
server. That verification step is what is supposed to prevent active
protocol-version rollback attacks: with it in place, an attacker acting as a
“man in the middle” can’t force a client and server to negotiate the SSL 2.0
protocol when both parties support SSL 3.0 or TLS 1.0. The check exists
deliberately, because of previously discovered cryptographic weaknesses in
SSL 2.0.
This workaround’s original purpose was to address
interoperability issues between Web servers and the secure applications they
serve. This is a classic case of two open source vendors trying to support every
conceivable function that a Webmaster might enable on a Web site.
However, in this case, the lack of any application standards
has led to a vulnerability that affects roughly three-fourths of all Web sites
and comes preinstalled on Red Hat Linux. The OpenSSL Project has published a new version to address this issue and recommends immediate
deployment. A patch is also available for
those sites that can’t upgrade due to interoperability problems with served
applications.
While the issue of a newly discovered vulnerability that affects
a large percentage of the computers running on the Internet has become quite
common, the problem goes much deeper. One of the most persistent problems with
software is patch management—and the larger the enterprise, the larger the
problem.
Microsoft has taken steps to address this issue with its
Automatic Updates service. In my opinion, the software company has done a good
job of notifying users of available patches and updates.
On the other hand, the open source community continues to
struggle with developing an integrated patch management solution. Most
administrators have little time to check for patches or read vulnerability
notices—if they’ve even signed up to receive them. That’s why it’s essential to
know exactly what you’ve deployed on your systems and to check regularly for
updates for that software.
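As an added illustration of that last point (this is example code, not part of the original column), the script below takes the kind of inventory an administrator might collect by running `openssl version` on each host and flags every installation that is older than the first fixed release on its branch, 0.9.7h or 0.9.8a, as the advisory described above states. The hostnames and the version strings are constructed sample data; the assumption that branches newer than 0.9.8 already carry the fix, and the treatment of 0.9.6 and older as affected, follow from the column's “all versions up to 0.9.7h and 0.9.8a” wording.

```python
import re
from typing import Dict, NamedTuple, Optional

# First fixed release on each branch, taken from the advisory discussed above:
# everything before 0.9.7h (on the 0.9.7 branch) and before 0.9.8a (on 0.9.8)
# is affected.
FIXED_BY_BRANCH = {
    (0, 9, 7): "0.9.7h",
    (0, 9, 8): "0.9.8a",
}


class OpenSSLVersion(NamedTuple):
    major: int
    minor: int
    fix: int
    patch: str  # letter suffix; "" (as in plain 0.9.8) sorts before "a"

    @property
    def branch(self):
        return (self.major, self.minor, self.fix)


# Matches "0.9.7e" inside lines such as "OpenSSL 0.9.7e 25 Oct 2004".
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)\b")


def parse_version(text: str) -> Optional[OpenSSLVersion]:
    """Extract an OpenSSL version from `openssl version` output or a bare string."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return OpenSSLVersion(int(m.group(1)), int(m.group(2)),
                          int(m.group(3)), m.group(4))


def is_vulnerable(version: OpenSSLVersion) -> bool:
    """True if this release predates the fix on its branch."""
    fixed = FIXED_BY_BRANCH.get(version.branch)
    if fixed is None:
        # Assumption: branches older than 0.9.7 never received the fix, and
        # branches newer than 0.9.8 were released after it.
        return version.branch < (0, 9, 7)
    # NamedTuple compares field by field: ints first, then the letter suffix.
    return version < parse_version(fixed)


def audit(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to VULNERABLE / patched / unparsed."""
    report = {}
    for host, output in inventory.items():
        version = parse_version(output)
        if version is None:
            report[host] = "unparsed"
        elif is_vulnerable(version):
            report[host] = "VULNERABLE"
        else:
            report[host] = "patched"
    return report


# Constructed sample inventory: hostnames and `openssl version` output lines
# made up for this example.
SAMPLE_INVENTORY = {
    "web01": "OpenSSL 0.9.7e 25 Oct 2004",
    "web02": "OpenSSL 0.9.7h 11 Oct 2005",
    "web03": "OpenSSL 0.9.8 05 Jul 2005",
    "web04": "OpenSSL 0.9.8a 11 Oct 2005",
    "web05": "OpenSSL 0.9.6m 17 Mar 2004",
    "db01": "openssl: command not found",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host:8s} {status}")
```

Feed it your own host-to-output mapping and review the `unparsed` entries by hand; a host whose `openssl version` output cannot be read is exactly the one whose patch state you do not actually know.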
Final thoughts
Before you start posting angry comments in this article’s
discussion, let me stress that I am not advocating dumping open source in favor
of Microsoft. Rather, I am campaigning for the open source market to address
the problem of patch management and to integrate third-party software into its solution.
If you run a system that connects to the Internet, it’s
imperative that you know what software is on that system—and keep it up to
date. If you don’t patch the holes in your system, it’s only a matter of time
before someone else exploits them.
Mike Mullins has served as an assistant
network administrator and a network security administrator for the U.S. Secret
Service and the Defense Information Systems Agency. He is currently the
director of operations for the Southern Theater Network Operations and Security
Center.